I Built an AI Code Review Pipeline — One Command for Review + Auto-Fix + Tests + Report

Conor — Tue, 14 Apr 2026 07:52:15 +0000

I Built an AI Code Review Pipeline — One Command for Review + Auto-Fix + Tests + Report

Zero dependencies, 6 AI providers, runs with npx. Quality control for the Vibe Coding era.

The Problem: Who Reviews AI-Generated Code?

AI-assisted coding tools (Cursor, Copilot, Windsurf) have made us 3-5x faster. But they've also created a new problem:

AI writes fast, but who ensures quality?

You let Cursor write a component. It runs. But:

Any XSS vulnerabilities?
Edge cases handled? Null checks?
Types all any?
Error handling silently swallowing exceptions?

Manual code review? If you're a solo dev, a small team, or just busy shipping — there's no time.

So I built ai-review-pipeline — let AI review AI-generated code.

npx ai-review-pipeline

One command: Review → Test generation → HTML report. Fully automated.

What It Does

Default Mode: Review + Tests + Report (Read-Only)

npx ai-rp --file src/ --full

Pipeline:

① AI Code Review (score + issue list + fix suggestions)
       ↓
② AI Test Case Generation (functional / adversarial / edge cases)
       ↓
③ HTML Visual Report
       ↓
④ Has 🔴 issues → exit(1) blocks CI; all green → exit(0) passes

Doesn't touch your code. Review only, report only.

Terminal output in action:

![Terminal screenshot — AI Review real-time output]

--fix Mode: Automated Fix Loop

npx ai-rp --fix --file src/views/Home.vue --full

① Review → finds 3 🔴 issues
       ↓
② AI auto-fix (quality issues only, never touches business logic)
       ↓
③ Re-review → 1 🔴 remaining
       ↓
④ Fix again → re-review → 0 🔴 ✅
       ↓
⑤ Test case generation
       ↓
⑥ HTML report
       ↓
⑦ Auto git commit

Keeps fixing until clean, up to N rounds (default 5). If still not clean after N rounds? It won't get stuck — generates tests and report anyway, then exit(1) to tell CI "still has issues."

Auto-generated HTML report:

![HTML Report — score, severity levels, fix suggestions at a glance]

Get Started in 30 Seconds

# 1. Set an API key (pick any AI provider)
echo 'OPENAI_API_KEY=sk-xxx' >> .env.local

# 2. Run
npx ai-review-pipeline --file src/ --full

That's it. No npm install. No config file. No account signup.

6 AI Providers, Auto-Detected

OPENAI_API_KEY=sk-xxx              # → OpenAI
DEEPSEEK_API_KEY=sk-xxx            # → DeepSeek
ANTHROPIC_API_KEY=sk-ant-xxx       # → Claude
DASHSCOPE_API_KEY=sk-xxx           # → Qwen (Alibaba)
GEMINI_API_KEY=xxx                 # → Google Gemini
AI_REVIEW_PROVIDER=ollama          # → Local Ollama (free, private)

Provider	Default Model	Best For
OpenAI	gpt-4o-mini	Stable, great ecosystem
DeepSeek	deepseek-chat	Cheapest, fast
Claude	claude-sonnet-4	Strongest code understanding
Gemini	gemini-2.0-flash	Generous free tier
Ollama	qwen2.5-coder	Fully local, zero cost

Don't want to send code to the cloud? Use Ollama:

ollama pull qwen2.5-coder
echo 'AI_REVIEW_PROVIDER=ollama' >> .env.local
npx ai-rp --file src/ --full

What It Reviews

Issues are categorized by severity:

🔴 Critical (Blocks Merge)

Logic errors, security vulnerabilities (XSS, injection, credential leaks), data risks (race conditions, precision errors)

🟡 Warning (Should Fix)

Unhandled edge cases (null, undefined, timeout), type issues (any, unsafe casts), missing error handling

🟢 Info (Improve Later)

Code duplication, unclear naming, performance hints

Test Case Generation

Not just review — it also generates three types of test cases:

Type	Covers
✅ Functional	CRUD, state flows, component rendering
⚔️ Adversarial	XSS injection, SQL injection, overflow
🔲 Edge Cases	Null, 0, negative, MAX_SAFE_INTEGER

Output includes descriptions and runnable test code (auto-detects your stack: Vitest / Jest / pytest / Go testing).

CI/CD Integration

GitHub Actions

- name: AI Code Review
  run: npx ai-review-pipeline --json
  env:
    OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}

Git Hook (lefthook)

# lefthook.yml
pre-push:
  commands:
    ai-review:
      run: npx ai-rp --fix --max-rounds 3

Auto-review before push. Blocks if issues remain.

Key Design Decisions

Unified Pipeline, Not Separate Commands

In v2, I had three commands: review, fix, test. After using it daily, I realized:

90% of the time you want "review + tests + report" in one shot.

v3 unified everything into one pipeline. --fix is an enhancement flag. Old commands kept as aliases for backward compatibility.

Safety Mechanisms

Auto-fix has a safety valve: the fixed file can't be less than 50% of the original. Prevents AI from "fixing" by deleting half your code.

Zero Dependencies

The entire tool has 0 required dependencies. Node.js 18+ built-in fetch for API calls, child_process for git, fs for files. The only optional peer dependency is https-proxy-agent for proxy setups.

Exit Codes for CI

Scenario	Exit Code	Meaning
Review passed	`0`	All clear
Has 🔴 issues	`1`	Block merge
`--fix` success	`0`	Fixed + committed
`--fix` failed	`1`	Still has issues

Even when --fix fails, tests and report are still generated — the report is for humans, not for passing CI.

How It Compares

Feature	ai-review-pipeline	CodeRabbit	SonarQube
Setup	`npx`, zero config	SaaS, signup	Deploy server
Dependencies	0	—	Java runtime
Auto-fix	✅ Multi-round	❌	❌
Test gen	✅ 3 types	❌	❌
AI models	6 providers + local	Fixed	Rule engine
Data privacy	Ollama = fully local	Code → cloud	Self-hosted ok
Cost	Pay per token (pennies)	$15/mo+	Community = free

The key difference: this is a CLI tool, not a SaaS. Your code goes directly to the AI API — no middleman server.

Project Config

npx ai-rp init

Generates .ai-pipeline.json — commit to git, share with team:

{
  "review": {
    "threshold": 95,
    "maxRounds": 5,
    "customRules": [
      "No any types allowed",
      "API keys must not be hardcoded",
      "All API calls must have error handling"
    ]
  },
  "test": {
    "stack": "auto",
    "maxCases": 8
  }
}

customRules is the highlight — write your team's standards, AI enforces them on every review.

Quick Reference

# Default: review + tests + report (read-only)
ai-rp
ai-rp --file src/views/Home.vue --full
ai-rp --file src/ --full

# Fix mode: review + auto-fix + tests + report
ai-rp --fix
ai-rp --fix --file src/a.vue --full --max-rounds 3

# Standalone test generation
ai-rp test --file src/utils.ts

# Initialize config
ai-rp init

Try It

npx ai-review-pipeline --file src/ --full

3 minutes to give your codebase a health check.

If you found this useful, check out the repo and drop a ⭐:

👉 GitHub - ai-review-pipeline
📦 npm - ai-review-pipeline

Got questions or feedback? Drop a comment below — I read every one.

DEV Community: Conor

I Built an AI Code Review Pipeline — One Command for Review + Auto-Fix + Tests + Report

I Built an AI Code Review Pipeline — One Command for Review + Auto-Fix + Tests + Report

The Problem: Who Reviews AI-Generated Code?

What It Does

Default Mode: Review + Tests + Report (Read-Only)

--fix Mode: Automated Fix Loop

Get Started in 30 Seconds

6 AI Providers, Auto-Detected

What It Reviews

🔴 Critical (Blocks Merge)

🟡 Warning (Should Fix)

🟢 Info (Improve Later)

Test Case Generation

CI/CD Integration

GitHub Actions

Git Hook (lefthook)

Key Design Decisions

Unified Pipeline, Not Separate Commands

Safety Mechanisms

Zero Dependencies

Exit Codes for CI

How It Compares

Project Config

Quick Reference

Try It